How to align security and development teams

If collaboration between the security and development teams is ineffective, serious vulnerabilities will still make it into your organisation’s finished applications.

In many organisations there is a serious disconnect between the security and development teams. Both teams work hard at their respective roles, but if collaboration between the two is ineffective, serious vulnerabilities will still make it into your organisation's finished applications. To help improve your application security, I'm looking at four things CSOs can do to improve collaboration between their security and development teams.

1) Roll-out Security Awareness Training

The biggest cause of misalignment between security and development teams is a lack of mutual understanding. Few developers have an up-to-date understanding of security risks and how to mitigate them, and security teams rarely understand the time- and results-driven pressures that your dev team faces. To improve alignment between the two teams, you need to develop a culture of security in your organisation. Rolling out security awareness training across your organisation is an effective way to encourage everyone, including your development team, to think of security as part of their role. Basic security awareness training lays the groundwork for more tailored, role-specific training later on, which further aligns the knowledge and experience of the security and development teams.

2) Prioritise Defensive Coding

Your security team will probably identify vulnerabilities in your applications on a regular basis, most of them stemming from insecure coding practices. By teaching developers secure coding best practices, your organisation can reduce vulnerabilities at the source, so that fewer mistakes and loopholes make it into finished code. Prioritising secure coding also signals that security is a whole-company priority, not something only your security team should be concerned with. This helps align your development and security teams around the same aim: creating a secure application, not just a functional one.

3) Provide Explicit Remediation Advice

Without security education, few developers will have the knowledge and understanding needed to remediate vulnerabilities in the applications they develop. And without the education to understand which coding practices introduce these vulnerabilities, the same problems will occur again and again. It is essential that your security team offers explicit remediation advice to developers whenever it identifies vulnerabilities during testing. That advice should contain real code examples for developers to follow and learn from: the vulnerable construct alongside the corrected version, so that the fix can be applied now and the lesson retained for next time. While this may initially seem excessively time-consuming, over the longer term your security team should notice fewer vulnerabilities creeping into your developers' code as they learn from the advice security provides.

4) Foster Empathy Between Security and Developers

Without a shared understanding of each other's roles and responsibilities, it is extremely difficult for your security and development teams to engage effectively. Your developers are judged on whether their code works and ships on time, not on its security, and they work to increasingly tight deadlines. It is vital that security teams understand the challenges developers face. Developers do not choose to ignore your security team's feedback; they simply do not have the time or resources to make security a priority. With a combination of empathy and improved communication, you can align security and development teams around the same outcomes and substantially improve your organisation's application security.